{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/user-creation/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Okta"],"_cs_severities":["low"],"_cs_tags":["okta","identity","user-creation","credential-access"],"_cs_type":"advisory","_cs_vendors":["Okta"],"content_html":"\u003cp\u003eThis alert detects the creation of new user accounts within an Okta environment. While legitimate user creation is common, malicious actors may create accounts to gain unauthorized access to resources, escalate privileges, or establish persistence within the network. Monitoring for anomalous user creation activity, such as accounts created outside of normal business hours or with suspicious naming conventions, is crucial for identifying potential security breaches. Reviewing the source IP and administrator account used for the user creation can also provide valuable context.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to an Okta administrator account, potentially through phishing, credential stuffing, or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker authenticates to the Okta admin portal.\u003c/li\u003e\n\u003cli\u003eThe attacker navigates to the user management section within the Okta admin console.\u003c/li\u003e\n\u003cli\u003eThe attacker creates a new user account, potentially mimicking an existing user or using a generic naming convention.\u003c/li\u003e\n\u003cli\u003eThe attacker assigns the new user account specific roles and permissions, potentially granting elevated privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker may use the newly created account to access sensitive applications and data within the Okta-protected environment.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the compromised or newly created account to maintain persistence within the Okta environment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack leading to unauthorized user creation can result in significant data breaches, privilege escalation, and unauthorized access to sensitive applications and resources. This could lead to financial loss, reputational damage, and compliance violations. The impact depends on the permissions granted to the created user and the applications they can access.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;New Okta User Created\u0026rdquo; to your SIEM to detect user creation events and tune for your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate any detected user creation events for legitimacy, focusing on the source IP address and the administrator account used.\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) for all Okta administrator accounts to mitigate the risk of credential compromise.\u003c/li\u003e\n\u003cli\u003eReview Okta event logs regularly for suspicious activity, including user creation, permission changes, and application access.\u003c/li\u003e\n\u003cli\u003eEstablish baseline user creation patterns to identify anomalous behavior, such as accounts created outside of normal business hours.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-23T12:00:00Z","date_published":"2024-01-23T12:00:00Z","id":"/briefs/2024-01-23-okta-user-created/","summary":"Detection of new user account creation in Okta, which could indicate malicious activity related to credential access.","title":"Okta User Account Created","url":"https://feed.craftedsignal.io/briefs/2024-01-23-okta-user-created/"}],"language":"en","title":"CraftedSignal Threat Feed — User-Creation","version":"https://jsonfeed.org/version/1.1"}